How 21st century security teams can stop phishing schemes from stealing enterprise data


Letter scams have been around for hundreds of years, but people are still falling for them in 2018.    

Take the Nigerian prince phishing scam. Users receive an email from a ‘Nigerian prince’ in need of immediate financial assistance with the promise of a handsome monetary reward at the end. All users have to do is wire this prince money directly into his account or send him their bank account information.   

Of course, there is no Nigerian prince, and it's hard to believe anyone still falls for the ridiculous scam considering it's been around since the French Revolution. In fact, the Nigerian email scam is simply the digital reinvention of the Spanish Prisoner scam, which dominated the days of snail mail during the Spanish American War. Nevertheless, these advance-fee scams and their phishing cousins continue to drain thousands of dollars from victims' bank accounts, netting thieves millions every year.

Today, hackers have adopted phishing to reel in even bigger catches, targeting accounts payable teams at Fortune 500 companies to initiate fraudulent wire transfers and steal employee credentials. Employees are sent to seemingly legitimate login pages and asked to enter their credentials, which immediately hands the attacker whatever that account can reach: email, file shares, the VPN and the servers behind it. Unlike a brute-force or distributed denial-of-service attack, a phishing attempt needs the victim's cooperation, so much of the risk can be removed by teaching employees to recognize bogus emails before they share sensitive information, and by limiting what a stolen password alone can unlock.

If the Nigerian prince email is any indication, phishing schemes are never going to disappear from the internet. With data leaks top of mind, corporate security teams need to get a step ahead of email scams and ensure employee mishaps are not the cause of tomorrow’s latest security breach.   

Gone phishing: how employee behaviors are contributing to hackers’ success rates 

All it takes is one employee to take the phishing bait for sensitive business information to fall into the hands of thieves. 

In a business email compromise (BEC) scheme, hackers impersonate a trusted person or organization, often a senior executive or a regular vendor, to convince unsuspecting employees to hand over the keys to the business. Hackers pretending to be an accounting executive might ask employees to verify their personal information by email, approve an "urgent" wire transfer, or download infected payroll documents to their computer.

While no one wants to admit being the victim of a phishing scheme, Verizon's 2016 Data Breach Investigations Report found that 30 percent of phishing emails are opened and about 12 percent of recipients go on to click the attachment or link, so it's no wonder phishing remains a popular tool in a hacker's repertoire. When an employee falls for a phishing scheme, one of two things typically happens:

1. Personal information is handed over to hackers  

Hackers pretending to be trusted individuals trick users into revealing sensitive data, such as payroll information, social security numbers and employee login credentials. In Kansas, for example, university employees fell for a phishing email asking them to re-submit their direct deposit details. Once the employees had entered their login credentials on the attackers' page, the attackers were able to reach the victims' accounts directly.

2. Malware is downloaded and infects the victim’s computer  

Instead of sending a webpage link, some hackers ask targets to download a file attached to the email. The seemingly innocuous zip files and Microsoft Word documents are actually embedded with malicious code, typically a macro or script that runs as soon as the recipient opens the file and enables content. If the attachment carries ransomware, for example, hackers can encrypt the victim's files, lock employees out of their workspace and threaten to publish any files found on the machine unless the employer pays the ransom.

Simply sending reminders to not click on suspicious emails is not enough to deter employees from opening phishing scams. Hackers are growing increasingly sophisticated, making it harder for employees to distinguish between what is real and what isn’t. To stop employees from falling for dangerous phishing schemes, organizations will need to better educate teams about email security and implement technical controls to reduce the possibility of a successful phishing attempt.   

Combining education and technical controls to mitigate phishing-based leaks 

While security teams can't control hacker activity, they can take steps to keep phishing emails from landing in inboxes and teach employees not to open suspicious emails when they do.

Educating teams to recognize and report phishing schemes is the first step in combating spam emails. Instead of blaming untrained workers for accidentally clicking malicious links, businesses should help employees build better emailing habits by: 

1. Showing them real phishing examples  

From minor spelling errors and shortened URLs to a sender address that doesn't match the displayed name, link text that doesn't match the link's real destination, and an urgent request for credentials or a payment, there are several red flags employees can watch for to judge whether an email is genuine. Security teams can familiarize employees with phishing schemes by showing them past email scams and helping them identify what is legitimate and what is not.

2. Testing their ability to identify and report scams    

After employees learn the ins and outs of phishing, organizations should regularly test their team’s ability to respond to email scams. Administrators can send fake phishing emails and monitor who is reporting them appropriately and who needs additional email training. 
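The red flags listed under step 1 can also be checked mechanically, which is useful both for training material and for triaging messages employees report. The script below is an added example, not code from the original article: it parses a constructed sample message and flags a lookalike sender domain, a mismatched Reply-To, pressure language and sloppy spelling, a URL-shortener link, and link text that differs from the real destination. The trusted-domain set, the shortener and word lists, and the digit-for-letter folding are assumptions for the example, and the domain logic is deliberately simplified.

```python
# Added example, not code from the original article: flag phishing red flags in a raw
# email. Trusted domains, shortener and word lists are assumptions; the sample is constructed.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
Reply-To: payroll-update@mail-secure-login.com
To: employee@example-corp.com
Subject: URGENT: verify your direct deposit details today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verfiy your direct deposit account immediatly or payroll will be delayed.</p>
<p><a href="http://bit.ly/3xYzAbc">https://hr.example-corp.com/direct-deposit</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the company's real domain(s)
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY_WORDS = {"urgent", "immediately", "today", "suspended", "verify"}
COMMON_MISSPELLINGS = {"verfiy", "immediatly", "recieve", "acount", "securty"}
# Digits attackers swap in for letters in lookalike domains (examp1e -> example).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def registered_domain(host):
    """Last two labels of a hostname (ignores multi-part suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def imitates_trusted(domain):
    """True if domain is not trusted but equals a trusted domain after homoglyph folding."""
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return domain not in TRUSTED_DOMAINS and folded in TRUSTED_DOMAINS

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the shown URL can be compared with the real one."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw):
    """Return human-readable findings for one message; an empty list means no red flag seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender domain that imitates the company's own (examp1e-corp vs example-corp).
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_dom = registered_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    if imitates_trusted(from_dom):
        findings.append(f"sender domain {from_dom!r} imitates a trusted domain")
    # 2. Replies silently routed to a different domain than the one shown in From.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if "@" in reply_to:
        rt_dom = registered_domain(reply_to.rsplit("@", 1)[-1])
        if rt_dom != from_dom:
            findings.append(f"Reply-To domain {rt_dom!r} differs from From domain {from_dom!r}")
    # 3. Pressure language and the sloppy spelling common in mass phishing.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    words = set(re.findall(r"[a-z]+", (str(msg.get("Subject", "")) + " " + text).lower()))
    urgency = sorted(words & URGENCY_WORDS)
    if len(urgency) >= 2:
        findings.append(f"pressure language: {', '.join(urgency)}")
    typos = sorted(words & COMMON_MISSPELLINGS)
    if typos:
        findings.append(f"misspellings typical of phishing: {', '.join(typos)}")
    # 4. Links hidden behind shorteners, or whose visible text differs from the real target.
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            href_dom = registered_domain(urlparse(href).hostname or "")
            if href_dom in URL_SHORTENERS:
                findings.append(f"link hidden behind URL shortener {href_dom!r}")
            shown_host = urlparse(shown).hostname if shown.startswith("http") else None
            if shown_host and registered_domain(shown_host) != href_dom:
                findings.append(f"link text shows {shown!r} but points to {href!r}")
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the constructed sample it reports all six red flags. None of these checks is proof of phishing on its own (legitimate mail uses shorteners and Reply-To too), which is exactly why the training in steps 1 and 2 matters: employees learn to treat several of these signals together as a reason to stop and report rather than click.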

In addition to building employee awareness, organizations should adopt a layered security approach to reduce the risk of phishing-based data leaks and loss. Proactive measures, like routinely updating software programs and requiring employees to use an authorized VPN to access servers, can help network IT teams monitor company-wide security. Businesses can also: 

  • Enforce stronger authentication that requires more than a username and password, such as two-factor or biometric authentication, so that a phished password alone is not enough to log in (hardware security keys are the most phishing-resistant option, since one-time codes can themselves be phished)
  • Set up advanced spam filters, including sender authentication checks (SPF, DKIM and DMARC) that reject mail forged from the company's own domain, to stop phishing emails before they reach their intended target
  • Develop an incident response plan for the case where an employee does fall for a fraudulent email, so the damage can be contained quickly: reset the exposed credentials, revoke active sessions and isolate the affected machine

Phishing schemes are one of the most popular tricks a hacker can use because they work, but enterprises can teach their employees how to avoid falling for fraudulent emails. Proper education, technical controls and an overall awareness of the types of scams hackers employ go a long way in helping enterprises avoid becoming a victim of phishing-based data leaks.

Francis Dinha, CEO and Co-Founder of OpenVPN 
